« February 2004 | Main | September 2004 »

May 20, 2004

List of Ingredients

One of the reasons I decided to use Movable Type to run this blog was that you get the source, which means you can poke around with it if you want to. In addition, lots of other people have already written plugins for the basic system.

This article describes the ingredients that go together to make the current Technology Stir Fry. I plan to update it when I make significant changes to the site.

[Latest update 20040520: Upgraded MT-Blacklist to V1.63, then to V1.64.]

The basic system is Movable Type V2.65. I'd like to avoid modifying this directly as much as possible in order to make upgrading to any future version of Movable Type less of a hassle. All customisation has therefore been done at the level of templates and plug-ins.

[I had previously applied Yoz Graham's quick-delete patch (see tip 6 on that page) as a way to quickly remove comment spam, but MT-Blacklist (see below) has made that unnecessary so I have been able to go back to a pristine Movable Type installation.]

I'm using the following Movable Type plugins:

MTAmazon is from Adam Kalsey; MT-Blacklist is from Jay Allen; the other plugins are from the prolific Brad Choate.

MTAmazon and KeyValues are used together such that I can put multiple Amazon ASIN product codes into an article's keywords field and have images of and links to those products appear at the head of the article.

[I originally used Macros, Regex and PerlScript to implement Jay Allen's comment spam killer. It wasn't as hard as it looked, mainly cut-and-paste from his instructions. However, his new MT-Blacklist plugin is much better and I have switched over to using that now.]

For article submission, most of the time I just use Movable Type's standard web interface. I have occasionally used w.bloggar, a Windows application, for the same purpose. If I was running several blogs at once, something like w.bloggar would be indispensable. To read other people's blogs, plus news sites, I use a Windows desktop aggregator called FeedReader.

The only other tools I've used so far have been Adobe GoLive 6 for site maintenance and my trusty copy of Adobe Photoshop 7 for image noodling. Both are sledgehammers for the nuts in question, but I use them all the time so they are the tools I'm used to.

Last but not least, like probably every other Movable Type user, I've tweaked the standard styles and templates over time so that they do more of what I want and less of the standard stuff. The first thing I changed was to pick the Georgia Blue style from the gallery, but I've also made a lot of changes to the elements that appear in different parts of the site. The style and templates are held in the database and not source controlled (I store everything else in CVS, just in case) but if I ever want to go back to the originals, they are all available on the Movable Type site.

Posted by Ian at 10:00 PM in Site Updates | Permalink

Arms Race

While listening to an interview with Bruce Schneier recently, I was struck by his depiction of the problem of the red and blue doors. Simply put, he observes that much security thinking is (given the way politics works) inevitably built around watching which door the bad guys go through, then putting guards on it. Money spent, "something has been done", problem solved.

Unfortunately, the bad guys aren't that stupid; if you put guards on the red door, they will stop going through it and just go through the blue door instead. You've spent money, effort and political capital implementing a "solution" that doesn't work in the face of their adaptation: in other words, you've made them do something they wouldn't have done if you hadn't put the guards on the red door, but your security hasn't improved. In the example of the doors, the opponents are simply choosing a different, probably equally accessable target; this is the enduring problem in fighting terrorism in a reactive way, and also applies to malware. There are no shortage of ways to write a virus, or e-mail spam, or a phishing attempt.

If we manage to get a little ahead of the opponent by depriving him of easy alternative targets, we might think we get to win the game. Again, that relies on the idea that the opponent is static; that only we have the ability to adapt. What actually happens is that in the absence of easy alternatives, we force our opponent up the technological ladder instead. Spam has to be much more sophisticated to get past filtering systems now, and so it is; viruses need to be much more devious to get past anti-virus programs, and we now observe viruses that come in encrypted .zip files along with captcha-encoded passwords embedded as images in the message.

In short, if we get really good at defense, we swap the game of technological whack-a-mole for a possibly even more expensive evolutionary arms race.

I got another taste of this today when this blog was hit by a storm of comment spam, all apparently advertising one or two web sites. I've been running Jay Allen's MT-Blacklist plug-in for some time, and it is pretty much the ultimate in whack-a-mole solutions as long as you keep the blacklist updated. The worrying thing here is that the wily comment spammer had encoded each of the advertising URLs differently, using numeric entities for a different selection of characters in the URL so that it is harder to include all of the possible encodings in a blacklist.

I'd guess Jay is already beavering away plugging this particular hole so that numeric entities are collapsed before checking for spam URLs. For all I know, that's already done (I upgraded to the latest version, just in case). In the longer term, though, I think this is a sign that MT-Blacklist is now sufficiently successful that comment spammers have become frustrated with being whacked moles and feel the need to move up the technological ladder. We need to respond not just with a fix for this one issue, but with a different approach to the problem.

Maybe that next answer is TypeKey, maybe not. But in an arms race, nothing ever gives superiority to one side for ever.

Posted by Ian at 6:47 PM in Spam | Permalink